Firewall Wizards mailing list archives

Re: Firewall best practices


From: Nate Itkin <fw-wizards () konadogs net>
Date: Tue, 27 Apr 2010 08:43:08 -1000

On Tue, Apr 27, 2010 at 10:45:02AM +0100, John Morrison wrote:
My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did, https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

Products that inspect https traffic do so with a man-in-the-middle
strategy. It requires configuring the browser to accept certificates
signed by the firewall's certificate authority.

- Nate Itkin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
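An added example, not part of the thread, showing how a client can tell the two cases Nate describes apart: an inspecting firewall re-signs the server certificate with its own CA, so the subject and SAN look right and only the issuer changes. The CA and site names below are constructed samples, and the expected-issuer set is an operator-supplied assumption.

```python
import socket
import ssl

# Added example (not from the thread): detect a firewall's man-in-the-middle
# re-signing by comparing the issuer of the certificate actually received
# against the public CAs known to issue for the site. The firewall copies
# the real subject/SAN, so only the issuer field reveals interception.

def rdn_to_dict(rdn):
    """Flatten ssl.getpeercert()'s tuple-of-tuples name into a dict."""
    out = {}
    for rdn_set in rdn:
        for attr, value in rdn_set:
            out[attr] = value
    return out

def classify_cert(cert, expected_issuer_orgs):
    """Return 'direct', 'intercepted' or 'unknown' for a getpeercert() dict.

    expected_issuer_orgs: organizationName values of the public CAs that
    are expected to issue for this site (assumption supplied by the operator).
    """
    org = rdn_to_dict(cert.get("issuer", ())).get("organizationName")
    if org is None:
        return "unknown"
    return "direct" if org in expected_issuer_orgs else "intercepted"

def probe(host, expected_issuer_orgs, port=443):
    """Connect using the system trust store (which is where an admin installs
    the firewall's CA, as the thread notes) and classify the cert received.
    If that CA is not trusted, the handshake itself fails with a verify error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return classify_cert(cert, expected_issuer_orgs), rdn_to_dict(cert["issuer"])

# Constructed samples in getpeercert() shape: identical subject/SAN, different issuer.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Corp Firewall"),),
               (("commonName", "Corp Firewall Inspection CA"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
```

Run `probe("www.example.com", {"Example Public CA Inc"})` from inside a network with inspection enabled and the returned issuer will be the firewall's CA rather than the site's public CA.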
